HIEW32 Plugins Collection
Simple useful plugins for HIEW32, created 2017..2024:
---------------------------------------------------
CRACK.HEM HEM-PlugIn - compares binary files. Reports differences as CRK-file for using with CRACKER.EXE. Adds to CRK as comment all available defined HIEW32 labels/names. (Original idea by Jupiter).
GOTO.HEM HEM-PlugIn for locate some positions in MZ & PE-EXE.
PE_RWE.HEM HEM-PlugIn - sets attributes of all sections in PE into r/w/e. (See comment at post#3) (Original idea by me).
PE_TAILS.HEM HEM-PlugIn - corrects "tails of sections" in PE. (Sets VirtSize>=PhisSize for all) (See comment at post#3) (Original idea by me).
PE_TAIL!.HEM HEM-PlugIn - Reports if file location in "tail of sections" in PE. (Original idea by me).
PE_HINTS.HEM HEM-PlugIn - for correcting import hints in 32-bit PE-file. (Original idea by FalseMaster).
PE_OVL.HEM HEM-PlugIn - Manipulates with PE-file Overlay.
PE_ASLR.HEM HEM-PlugIn - Sets/Clears RelocationsStripped Bit in PE-header.
BLOCK.HEM HEM-PlugIn - operations with Block (Xor,Add,Sub string or file) (16Mb max.). (It's minor modification of standard HEM-plugin example).
BL_MD5.HEM HEM-PlugIn - calculates MD5 sum of marked block (16Mb max.)
MBYTES2.HEM HEM-PlugIn - Converts selected block of bytes into C/Asm "DB/DW/DD" code. Paste it from Clipboard.
KBD_CYR.HEM HEM-PlugIn - for russify keyboard input in HIEW32.EXE. Available 6 keyboard mappings (LAT, RUS/UKR DOS/WIN, and DOS-ps.graphics) Starts when loaded, after pressing in HIEW32 <F11>-key. (Original idea by me).
KBD_CYR.PNG - optional - Simple picture-help for KBD_CYR.HEM keyboard switcher.
SECTOR.HEM - HEM-PlugIn for write sector(s) of disk to a file (256 sectors max.).
PE_SPLIT.HEM - HEM-Plugin - Split & Join 32-bit PE-file. (Prototype is PEU by A.Quincey,1998)
BL_FILE.HEM - HEM-PlugIn writes selected block to a file with HEX-address as filename.
PE_TIME.HEM - HEM-Plugin - PE-file LinkTime<-> FileTime. (Original idea by FalseMaster)
PE_Win9x.HEM - HEM-Plugin - Set for x32 PE-file OSVer/SubSys = 1/4 (for run on Win9x+).
Locate.HEM - HEM-Plugin - Writes current file address with comment into file "Locate.txt". Copies address to clipboard (as Raw/VA/RVA).
cursor.HEM - HEM-Plugin - Highlighting current line in Hex/Disasm modes in Hiew32.
See attached archive (Updated 29 Mar 2024)
----------------------------------------------------------
See also: PlugIns from Fernando Merces (github.com/merces) - CopyAs.HEM - Hashes.HEM here: https://forum.exetools.com/showpost....3&postcount=40
See also: PlugIn from Tavis Ormandy (github.com/taviso) - KeyHelp.HEM here: https://forum.exetools.com/showpost....8&postcount=41 |
Fix to HIEW32.EXE v.8.43 for caching of GOTO address
Fix to HIEW32.EXE v.8.43 for caching of GOTO address (when <F5> pressed).
File HIEW32.EXE v.8.43 must be unpacked. Use CRACKER.EXE with given patch file "GOTO_843.CRK".
Discussed here: https://exelab.ru/f/index.php?action...5147&page=6#11
--Add-- This feature is already implemented in the new HIEW32 v.8.60. |
===================================
Comment for HEM-plugin PE_TAILS.HEM
===================================
Original PE-sections table of target example file: Quote:
Quote:
===================================
Comment for HEM-plugin PE_RWE.HEM
===================================
Original PE-sections table of target example file: Quote:
Quote:
|
PE_ASLR.HEM PlugIn for HIEW32
for set/clear flag "Relocations Stripped" in PE-EXE file. See Start Post |
Updated:
KBD_CYR.HEM HEM-PlugIn v.0.000b- for russify keyboard input in HIEW32.EXE vv.7.51, 8.10, 8.15, 8.40, 8.41, 8.43, 8.63. Available 6 keyboard mappings (LAT, RUS/UKR DOS/WIN, and DOS-ps.graphics) Starts when loaded, after pressing in HIEW32 <F11>-key. Version 0.000b - added support for HIEW32.EXE v.8.63. See ->Start Post <- |
Mbytes2.HEM - HEM-PlugIn for converting HIEW multibyte selection into "DB/DW/DD" C/Asm code.
Based on standard HIEW32 plugIn example Mbyte2c.HEM by Dmitry.Andriyankov ,(c)2010. See ->Start Post <- |
I use this plugin a lot:
DIE's plugin for HIEW http://ntinfo.biz/index.html , check the link there. Very useful. |
Quote:
Tks! |
By Hiew External Module
"Hem modules are not loaded until the key F11 is pressed in any of the modes (Text/Hex/Code). If you were brave enough to press the key F11 and engage Hem modules, Hiew will scan special folder and its subfolders for Hem files. For each found file Hiew loads it, looks for exported entry point, and uses it for invoking module initializer. Subsequent Hem menu invocations processed without directory scan. " zeuscane |
Quote:
Then select item in plugins catalogue: "Marked bytes to C / Asm Source", select mode "Byte / Word / Dword", choose language "C / Asm" - selection set of bytes will be converted into "DB" source code and result of conversion will be copied into clipboard. |
Here is my screenshot when I loaded file, marked ranges of bytes and pressed F11, but cannot see "Marked bytes to C / Asm Source" option in plugins catalogue:
https://imgur.com/a/JsWJZON Regards, |
Hmm..
I tested this ->Ok<-. Note: Hiew selection of bytes must be ended by pressing <*> again. Then plugin that works with blocks will be present in plugins catalogue. |
Updated:
KBD_CYR.HEM HEM-PlugIn v.0.001a- for russify keyboard input in HIEW32.EXE (all versions). Available 6 keyboard mappings (LAT, RUS/UKR DOS/WIN, and DOS-ps.graphics) Starts when loaded, after pressing in HIEW32 <F11>-key. Version 0.001b - added support for any version of HIEW32.EXE . See ->Start Post <- |
I found this: https://github.com/lallousx86/pyhiew
And an example able to retrieve results from virustotal: https://github.com/matrosov/pyHiew/blob/master/vt_check.py |
Quote:
|
PE_OVL.HEM PlugIn for HIEW32
for Strip/Add/Save/Goto overlay of PE-EXE file. Logic: Quote:
Quote:
|
Note about using HEM-plugins
Not only everyone(c) knows that you can speed up
the launch of Plug-Ins using the "hemkeys.ini" file. For example: Quote:
|
Goto.HEM - PlugIn for HIEW32
GOTO.HEM - HEM-PlugIn for locate some positions in MZ-PE-EXE file.
Menu available: Quote:
|
Updated 5 PlugIns for manipulate with PE-EXE.
(Now if file opened in Hiew is not PE, then PE_xxxx PlugIns not listed in Hiew32 PlugIns Menu). Updated full PlugIns archive. See ->Start Post <- |
Quote:
|
you say malware found @github? :)
how come... or maybe it started to happen after MS bought GH by 7 500 000 000 usd? :) |
) sendersu, he got little excited
|
Goto.HEM - PlugIn for HIEW32 (updated)
Goto.HEM - added new option "Goto PE CheckSum".
Menu available: Quote:
|
Happy NY 2 all
@Jupiter, test, please, HEM-plugin KBD_CYR.HEM with new version 8.66, if possible - because in leaked vmprotected version it doesn't work. |
@dosprog, The plugin loads in my legal copy. This is the output for characters a-z on an English keyboard.
Code:
https://i.imgur.com/SMnal27.png |
New plugins released 2020:
--> BASE64.HEM <-- (17 apr 2020) - HEM-PlugIn produces BASE64 string for marked block (16Mb max.)
--> SECTOR.HEM <-- (18 apr 2020) - HEM-PlugIn for write sector(s) of disk to a file (256 sectors max.).
--> PE_SPLIT.HEM <-- (24 apr 2020) - HEM-Plugin - Split & Join 32-bit PE-file. (Prototype is --> PEU <-- by A.Quincey,1998)
--> BL_FILE.HEM <-- (26 apr 2020) - HEM-PlugIn writes selected block to a file with HEX-address as filename. |
--> PE_TIME.HEM <-- (23 apr 2020) - HEM-Plugin - PE-file LinkTime<-> FileTime.
|
Another excellent HEM plugin by Tavis Ormandy, view data structures in Kaitai format:
https://github.com/taviso/kiewtai |
Updated PlugIn MBYTE2.HEM
- Added "Raw" Option. - Fixed "Asm" translation (removed invalid comma at EOL) Now converted bytes : C-code: Quote:
Asm-code: Quote:
Quote:
|
|
PE_Win9x.HEM PlugIn Released
PE_Win9x.HEM PlugIn Released.
This plug writes to x32 PE-EXE header values OSver=1 & SubSys=4 for make PE-EXE linked for Vista+ loadable on Win9x+, for example, on WinXP. Download: PE_Win9x.HEM v.0.001a |
CRACK.HEM PlugIn updated - v.0.002a
Added option: Rewrite or Append to CRK-file if CRK-file already exists.
CRACK.HEM v.0.002a (31 Dec 2020). |
CRACK.HEM PlugIn updated - v.0.003a
Added option: compare inside selected block only (optional, if block selected).
Download updated version: CRACK.HEM v.0.003a (2 Jan 2021). |
PE_TAIL!.HEM PlugIn Released (*NEW*)
Detects if current address of PE/PE+ in a "tail" of PE-section or in PE-overlay or in MZ/PE header. Also detects valid VA and types report. Download: PE_TAIL!.HEM v.0.000a (17 Oct 2021) - Size 4kb UPX'ed. --Added-- Similar tool for 32-bit PE only: File Location Calculator (c)manhunter / PCL with little modification for checking sections tails: Download: FLC v.1.4.0.4 (mod) |
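The classification described in the post above (header, section, section "tail", overlay), as an added Python example that is not the plugin's code or part of the original thread. It assumes a "tail" means raw section bytes past VirtualSize, as the PE_TAILS description (VirtSize>=PhisSize) suggests; `parse_sections`, `classify` and `build_sample` are hypothetical names and the sample image is constructed.

```python
import struct

def parse_sections(data):
    """Return [(name, virt_size, raw_ptr, raw_size)] from a PE/PE+ section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe, = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, = struct.unpack_from("<H", data, pe + 6)       # NumberOfSections
    opt, = struct.unpack_from("<H", data, pe + 20)       # SizeOfOptionalHeader
    secs = []
    for i in range(nsec):
        off = pe + 24 + opt + 40 * i                     # 40-byte section header
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, _rva, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        if rsize:                                        # skip sections with no file data
            secs.append((name, vsize, rptr, rsize))
    return secs

def classify(data, offset):
    """Say where a raw file offset falls: header, section, section tail, overlay."""
    secs = parse_sections(data)
    if not 0 <= offset < len(data):
        return "outside file"
    for name, vsize, rptr, rsize in secs:
        if rptr <= offset < rptr + rsize:
            # VirtualSize 0 means the loader falls back to the raw size: no tail
            tail = vsize and offset - rptr >= vsize
            return f"tail of {name}" if tail else f"section {name}"
    if secs and offset >= max(p + s for _, _, p, s in secs):
        return "overlay"
    if not secs or offset < min(p for _, _, p, _ in secs):
        return "MZ/PE header"
    return "gap between sections"

def build_sample():
    """Constructed PE32 layout: 0x400 headers, one section, 16-byte overlay."""
    img = bytearray(0x400 + 0x200 + 0x10)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)              # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)         # Machine, NumberOfSections
    struct.pack_into("<H", img, 0x94, 0xE0)              # SizeOfOptionalHeader
    sec = 0x80 + 24 + 0xE0
    img[sec:sec + 8] = b".text\0\0\0"
    # VirtualSize 0x100 < SizeOfRawData 0x200, so raw 0x500..0x5FF is a tail
    struct.pack_into("<IIII", img, sec + 8, 0x100, 0x1000, 0x200, 0x400)
    return bytes(img)
```

Bytes in a tail or overlay are present in the file but not mapped as part of the section's virtual contents, which is why triage of a suspicious PE usually checks both regions.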
Locate.HEM PlugIn Released (*NEW*)
New PlugIn - Locate.HEM.
Creates/appends to file "Locate.TXT" string with current file position (or VA for PE/PE+) in current opened file. Download: LOCATE.HEM v.0.000a (2021) |
Hashes v1.02 (4 Sept 2023)
Hiew External Module (HEM) to calculate CRC-32, MD5, SHA-1, and SHA-256 hashes of files and blocks. What's new:
Home/Download: Code:
https://github.com/merces/hem-hashes |
BTW, do not click previously shared old exelab[.]ru links folks. They are NSFW right now!
|
CopyAs v1.00 (2 Aug 2023)
Hiew External Module (HEM) to copy block data in different formats. This module allows you to export the content of a marked block in multiple formats such as:
What's new:
Home/Download: Code:
https://github.com/merces/hem-copyas |
Start post updated with actual collection (06 Feb 2024)
|
Quote:
Quote:
Rebuilt for compact size (~100Kb vs ~10Kb size). CopyAs.HEM v.1.00 Hashes.HEM v.1.02 Note: Hashes.HEM PlugIn requires bcrypt.dll (Vista+) present in system. |